PHP MYSQL login system - From the ground up

As I said,
I would like to make a PHP login/register system that would be free for anyone. Here I have started. Since I am not an expert, I will be adding small pieces until something emerges.

I hope DW guys will help until it grows mature. I want to apply some OOP.

Feel free to criticize and add/remove anything, but state why you did that and explain where you do complex stuff so that I don't get lost. After it matures I will host it somewhere (Google Code or SF).

Ok, you've made a db connection.
Why not write the rest of it?
The only thing I can add is to use POST instead of GET, which, surprisingly, I see many people doing here.
Encrypt the passwords.
Now the ball is in your court!

diafol

9 Years Ago

Ev - you haven't actually done anything w.r.t. login - just produced a connection script. Are you going to follow up or are you waiting for input?

Yes, please go ahead, all while contributing to the script.
Even I am eager to see the login script evolving as an OOP pattern.
I recommend generalizing the DB class first and inheriting from it later to have the constructor passed with some random flag too, which will avoid MySQL injection.
Also the query filtering and the comparison of every table in the query against the existing list declared in the DB class.
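The injection concern raised above is handled most reliably by never building SQL from user input at all. The following is an added example, not code from this thread: a small base DB class on top of mysqli prepared statements, with a subclass that adds the login system's own queries. It uses bound parameters in place of the "random flag" idea; the connection values, table and column names (`users`, `first_name`, `last_name`, `email`, `username`, `password`) are assumed placeholders, and `get_result()` requires the mysqlnd driver.

```php
<?php
// Added example (not the thread's code): a DB wrapper built on mysqli
// prepared statements. Values are bound, never concatenated into SQL,
// which is what prevents SQL injection regardless of escaping schemes.
// Host/user/pass/name are placeholders supplied by the caller.

class Db
{
    protected $conn;

    public function __construct($host, $user, $pass, $name)
    {
        $this->conn = new mysqli($host, $user, $pass, $name);
        if ($this->conn->connect_error) {
            throw new RuntimeException('Connect failed: ' . $this->conn->connect_error);
        }
        $this->conn->set_charset('utf8mb4');
    }

    // Run a parameterized query. $types is the bind_param type string
    // ("s" string, "i" int), $params the values in placeholder order.
    public function query($sql, $types = '', array $params = array())
    {
        $stmt = $this->conn->prepare($sql);
        if ($stmt === false) {
            throw new RuntimeException('Prepare failed: ' . $this->conn->error);
        }
        if ($types !== '') {
            $stmt->bind_param($types, ...$params);
        }
        $stmt->execute();
        return $stmt;
    }

    // Fetch a single row as an associative array, or null if none matched.
    public function fetchOne($sql, $types = '', array $params = array())
    {
        $stmt = $this->query($sql, $types, $params);
        $row = $stmt->get_result()->fetch_assoc();
        $stmt->close();
        return $row;
    }
}

// The subclass adds application queries; still no string building.
class UserDb extends Db
{
    public function findByUsername($username)
    {
        return $this->fetchOne(
            'SELECT id, username, password FROM users WHERE username = ? LIMIT 1',
            's', array($username)
        );
    }

    // $passwordHash is the already-hashed password, never the raw one.
    public function create($first, $last, $email, $username, $passwordHash)
    {
        $stmt = $this->query(
            'INSERT INTO users (first_name, last_name, email, username, password)'
            . ' VALUES (?, ?, ?, ?, ?)',
            'sssss', array($first, $last, $email, $username, $passwordHash)
        );
        $id = $stmt->insert_id;
        $stmt->close();
        return $id;
    }
}

// Usage with placeholder credentials:
// $db  = new UserDb('localhost', 'dbuser', 'dbpass', 'loginapp');
// $row = $db->findByUsername($_POST['username']);
```

Because every value travels through `bind_param`, the same class can be reused for any table without per-query escaping, which is the generalization the post asks for; the checks against a declared table list become unnecessary because user input never reaches the SQL text.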

It seems this one function is ok. The reason I wanted your input on this is because I wanted it to go right. I know it is almost 0.5 of a big number but I see it is ok and I will now proceed. No sooner will I start my coding.

Wow 25 digit id ! We only have 4 billion people on the planet! LOL
Also, I like to declare it as unsigned so that the entire size is available.
I believe that INT reserves half for negative numbers which is not necessary for an id.
The password field seems a bit large too.

As far as your 'id' type goes, int(11) unsigned should be good. It's a pretty popular size as far as I've noticed. As far as your password type goes, 100 is very large. I would imagine 32-40 would be plenty depending on your encryption method. I've been toying with some sha1 encryption methods lately while I've been learning.

I'm just learning all this at the moment, so correct me if I'm wrong. Anything I've said comes from all the reading I've been doing on this over the past couple weeks. I'm very interested in this topic so I'll continue to follow and offer any help I can, and learn along the way. OO PHP has confused me quite a bit so far, so I don't know how much help I could be.

The longest encryption strings I've seen in use are 48 chars.
I don't think you need even that much!
It depends on how paranoid you are about hackers.
Unless you are doing this for the DOD, a bank or the NSA, where they are willing to put a lot of effort into the task, any reasonable MD5 encryption should be fine.

I wouldn't use MD5 any longer, there are a multitude of sites online where you can enter an MD5 hash and it will return a valid string within seconds.
Easiest solution would be to salt the string first:

It will still generate the nice 32 char hash, but will be harder to reverse :)

OFC, MD5 on its own is good enough for a personal site, but not much else. If you are allowing other people to sign up, i.e. a community site, you want something a bit more, well, more.

Edited
9 Years Ago
by Will Gresham: n/a

diafol

9 Years Ago

Salted hash should be fine for md5 - as long as salt isn't a common word. The sites offering reversal of md5's are often 'dictionaries' or rainbow sites that have a huge db of words - they don't tend to work very well with gibberish passwords. They also tend to focus on English words.
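Both the "salt the string first" suggestion and the reply above describe the same scheme, so here is one added example (not code from either post) that shows it in working form next to PHP's built-in `password_hash()`/`password_verify()` (available since PHP 5.5), which generates a random salt per password and uses a deliberately slow algorithm. The example assumes PHP 7 or later for `random_bytes()`; the function names are mine.

```php
<?php
// Added example, not code from the thread. Two ways to store a password:
// the salted-MD5 scheme the posts describe, and PHP's built-in API.

// Salted MD5 as described above. The salt is random per user (not a
// dictionary word) and stored alongside the hash so it can be recomputed.
function legacySaltedMd5($password, $salt = null)
{
    if ($salt === null) {
        $salt = bin2hex(random_bytes(8)); // 16 hex chars, unique per user
    }
    return $salt . ':' . md5($salt . $password); // 16 + 1 + 32 = 49 chars
}

function legacySaltedMd5Verify($password, $stored)
{
    list($salt, $hash) = explode(':', $stored, 2);
    // hash_equals compares in constant time
    return hash_equals($hash, md5($salt . $password));
}

// Built-in approach: bcrypt via PASSWORD_DEFAULT. The result is 60 chars
// today; the PHP manual advises a VARCHAR(255) column so that a future
// default algorithm with longer output still fits.
function makePasswordHash($password)
{
    return password_hash($password, PASSWORD_DEFAULT);
}

function checkPassword($password, $storedHash)
{
    return password_verify($password, $storedHash);
}

// Demo with a constructed password
$legacy = legacySaltedMd5('correct horse battery staple');
var_dump(legacySaltedMd5Verify('correct horse battery staple', $legacy));
var_dump(legacySaltedMd5Verify('wrong password', $legacy));

$modern = makePasswordHash('correct horse battery staple');
var_dump(checkPassword('correct horse battery staple', $modern));
var_dump(checkPassword('wrong password', $modern));
```

The salted-MD5 version answers the column-size question from earlier in the thread (salt plus hash fits in about 50 characters), but the per-user random salt is what defeats the lookup sites mentioned above, not the choice of MD5 itself; `password_hash()` adds the slow, tunable cost that a fast hash like MD5 cannot provide, which is why it is the form to prefer for a site where the public registers.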

Thanks guys, I will do that. But before I jump to encryption (I know what sparked that but let's reserve a little bit), I want to have a single function to sanitize the POST array. Below is the list Google returned. I don't want overkill in doing this but I want to deal with something clean in the next stage. So, what are the other functions to sanitize/clean my variables that I need? I see addslashes and magic quotes but I'm not an expert.
Thanks

Ok, based on suggestions and a tutorial I am glad to post my login form and some foundation functions to clean data. Since I will register users' first and last names, email address and username/password, I have functions to sanitize names and email. See it and scrutinize before I move to another thing. As I said, I will be off the net until tomorrow so I will respond then!
Cheers :)

Ok, something is wrong in the above code. On line 24 I forgot to write the keyword

function

Anyway, I want to write an empty-field validation function in PHP but I'm tempted to do it in Javascript. What do you suggest? Do I do it in JS so that no empty form is submitted, or allow submission but validate on the server with PHP?
Thanks
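On the JS-or-PHP question and the earlier request for a single function to clean the POST array: JavaScript validation only improves the experience in the browser, and the request can reach the server without it, so the empty-field and format checks must exist in PHP either way. The following is an added example, not code from the thread, of one server-side validator covering both needs: required fields, first/last name, email and username. Field names are assumed to match the form, and the sample input is constructed. Note that addslashes and magic quotes are not part of it: magic_quotes_gpc was removed in PHP 5.4, and values bound through prepared statements need no escaping.

```php
<?php
// Added example (not the thread's code): server-side validation of the
// registration POST array. Returns an array of field => error message;
// an empty array means the input passed. Field names are assumptions.

function validateRegistration(array $post)
{
    $errors   = array();
    $required = array('first_name', 'last_name', 'email', 'username', 'password');

    // Empty-field check: a missing key and a whitespace-only value both fail.
    foreach ($required as $field) {
        if (!isset($post[$field]) || trim($post[$field]) === '') {
            $errors[$field] = "$field is required";
        }
    }
    if ($errors) {
        return $errors; // format checks on missing fields are pointless
    }

    $first = trim($post['first_name']);
    $last  = trim($post['last_name']);
    $email = trim($post['email']);
    $user  = trim($post['username']);

    // Names: letters in any script, spaces, hyphens, apostrophes; bounded length.
    foreach (array('first_name' => $first, 'last_name' => $last) as $field => $value) {
        if (!preg_match("/^[\p{L}' -]{1,50}$/u", $value)) {
            $errors[$field] = "$field contains invalid characters or is too long";
        }
    }

    // Email: PHP's built-in validator is enough here.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'email is not valid';
    }

    // Username: conservative character set and length.
    if (!preg_match('/^[A-Za-z0-9_]{3,30}$/', $user)) {
        $errors['username'] = 'username must be 3-30 letters, digits or underscores';
    }

    // Password: only a length check; it is hashed before storage, never altered.
    if (strlen($post['password']) < 8) {
        $errors['password'] = 'password must be at least 8 characters';
    }

    return $errors;
}

// Constructed sample input standing in for $_POST
$good = array(
    'first_name' => ' Ada ',
    'last_name'  => "O'Brien",
    'email'      => 'ada@example.com',
    'username'   => 'ada_l',
    'password'   => 'correct horse battery staple',
);
print_r(validateRegistration($good));

$bad = array('email' => 'not-an-email', 'username' => 'a');
print_r(validateRegistration($bad));
```

When a rejected form is re-displayed, the submitted values should be echoed back through `htmlspecialchars()`; validation decides what is accepted, while escaping at the point of output is what keeps a name like `O'Brien` or any HTML in a field from being interpreted by the browser.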